In light of the increasing number of recent high-profile ransomware attacks, and the threat these attacks pose to the health care industry in particular, the Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. The guidance outlines activities already required by the HIPAA Security Rule that will assist entities in proactively preventing, and efficiently responding to, ransomware attacks. For example, the guidance addresses:
- Implementing a security management process, including conducting a risk analysis and mitigating identified risks;
- Implementing procedures to guard against and detect malicious software;
- Training users on malicious software protection and reporting of malicious software detections;
- Implementing access controls to limit access to ePHI; and
- Maintaining an overall contingency plan.
The guidance also addresses how a ransomware attack should be analyzed from a breach notification perspective under HIPAA. It is important to note that OCR treats a ransomware attack that encrypts ePHI as a presumptive breach: the covered entity is expected to report the attack unless it can show, through a documented risk assessment, that there is a low probability that the protected health information has been compromised.
Included with this guidance was a letter from Sylvia Burwell, Secretary of the U.S. Department of Health and Human Services, addressed to health care company CEOs. The letter, dated June 20, 2016, highlights the growing threat of ransomware and emphasizes key points that CEOs should share with senior leadership. One of the main points noted in the letter and its attached interagency guidance is the importance of preventive cybersecurity measures in protecting against ransomware. The letter also outlines appropriate steps an organization can take in response to a ransomware attack, including the considerations that apply when deciding whether to pay the demanded ransom.
These documents emphasize that OCR is taking ransomware attacks very seriously, and that organizations are expected to implement comprehensive policies and procedures to prevent, detect, respond to, and remediate these attacks.